<p>When a cookie is configured with the <code>HttpOnly</code> attribute set to <em>true</em>, the browser guaranties that no client-side script will
be able to read it. In most cases, when a cookie is created, the default value of <code>HttpOnly</code> is <em>false</em> and it’s up to the developer
to decide whether or not the content of the cookie can be read by the client-side script. As a majority of Cross-Site Scripting (XSS) attacks target
the theft of session-cookies, the <code>HttpOnly</code> attribute can help to reduce their impact as it won’t be possible to exploit the XSS
vulnerability to steal session-cookies.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> the cookie is sensitive, used to authenticate the user, for instance a <em>session-cookie</em> </li>
  <li> the <code>HttpOnly</code> attribute offer an additional protection (not the case for an <em>XSRF-TOKEN cookie</em> / CSRF token for example)
  </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> By default the <code>HttpOnly</code> flag should be set to <em>true</em> for most of the cookies and it’s mandatory for session /
  sensitive-security cookies. </li>
</ul>
<h2>Sensitive Code Example</h2>
<p><a href="https://www.npmjs.com/package/cookie-session">cookie-session</a> module:</p>
<pre>
let session = cookieSession({
  httpOnly: false,// Sensitive
});  // Sensitive
</pre>
<p><a href="https://www.npmjs.com/package/express-session">express-session</a> module:</p>
<pre>
const express = require('express'),
const session = require('express-session'),

let app = express()
app.use(session({
  cookie:
  {
    httpOnly: false // Sensitive
  }
})),
</pre>
<p><a href="https://www.npmjs.com/package/cookies">cookies</a> module:</p>
<pre>
let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  httpOnly: false // Sensitive
}); // Sensitive
</pre>
<p><a href="https://www.npmjs.com/package/csurf">csurf</a> module:</p>
<pre>
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { httpOnly: false }}); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<p><a href="https://www.npmjs.com/package/cookie-session">cookie-session</a> module:</p>
<pre>
let session = cookieSession({
  httpOnly: true,// Compliant
});  // Compliant
</pre>
<p><a href="https://www.npmjs.com/package/express-session">express-session</a> module:</p>
<pre>
const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  cookie:
  {
    httpOnly: true // Compliant
  }
}));
</pre>
<p><a href="https://www.npmjs.com/package/cookies">cookies</a> module:</p>
<pre>
let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  httpOnly: true // Compliant
}); // Compliant
</pre>
<p><a href="https://www.npmjs.com/package/csurf">csurf</a> module:</p>
<pre>
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { httpOnly: true }}); // Compliant
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> <a href="https://owasp.org/www-community/HttpOnly">OWASP HttpOnly</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)">Top 10 2017 Category A7 - Cross-Site Scripting
  (XSS)</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1004">CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag</a> </li>
  <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE">HTTPONLY_COOKIE</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222575">Application Security and
  Development: V-222575</a> - The application must set the HTTPOnly flag on session cookies. </li>
</ul>
